FHEW: Bootstrapping Homomorphic Encryption in Less Than a Second.

ADVANCES IN CRYPTOLOGY - EUROCRYPT 2015, PT I, (2015): 617-640


Abstract

The main bottleneck affecting the efficiency of all known fully homomorphic encryption (FHE) schemes is Gentry's bootstrapping procedure, which is required to refresh noisy ciphertexts and keep computing on encrypted data. Bootstrapping in the latest implementation of FHE, the HElib library of Halevi and Shoup (Crypto 2014), requires abou...

Introduction
  • Since Gentry’s discovery of the first fully homomorphic encryption (FHE) scheme [15], much progress has been made both towards basing the security of FHE on more standard and well understood security assumptions, and improving the efficiency of Gentry’s initial solution.

    On the security front, a sequence of papers [2,5,8,9,16] has led to FHE schemes based on essentially the same intractability assumptions underlying standard lattice-based encryption.
  • The scheme of [2] uses a homomorphic cryptosystem that encrypts integers modulo q, and allows the efficient computation of scalar products.
  • The main idea to perform this encrypted NAND computation is to assume that the input ciphertexts are available in a slightly different form.
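As an added illustration (an editor's example, not code from the paper or from the FHEW repository), the toy Python below implements the LWE symmetric encryption referred to in the Introduction and the homomorphic NAND the page mentions, using the input form restated in the Results section: each bit is encrypted with message modulus t = 4 and error bound E = q/16, and the gate outputs an LWE ciphertext with message modulus 2 whose error stays below q/4. The gate formula (0, 5q/8) − c0 − c1 is the FHEW construction; the tiny dimension n = 32, the uniform error distribution and the function names are this example's own simplifications and assumptions, and the parameters give no security.

```python
"""Toy LWE symmetric encryption and the FHEW-style homomorphic NAND.

Editor's illustrative example, not the FHEW implementation.  n is tiny and
the error distribution is uniform (both insecure simplifications); q = 512 is
only borrowed from the paper's parameter set so the fractions q/4, q/8, q/16
are exact integers.
"""
import random

N = 32          # LWE dimension (toy; far too small for security)
Q = 512         # ciphertext modulus q


def keygen(rng):
    """Binary secret key s in {0,1}^n, as the paper chooses for the LWE scheme."""
    return [rng.randrange(2) for _ in range(N)]


def encrypt(s, m, t, bound, rng):
    """Encrypt m in Z_t under key s with |error| < bound.

    Returns (a, b) with b = <a, s> + e + m*q/t (mod q), i.e. a ciphertext in
    LWE^t_{s/q}(m) with error bound `bound`.
    """
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randrange(-bound + 1, bound)          # uniform error, |e| < bound
    b = (sum(ai * si for ai, si in zip(a, s)) + e + m * Q // t) % Q
    return (a, b)


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def decrypt(s, c, t):
    """LWE decryption: round t*(b - <a,s>)/q to the nearest integer mod t."""
    a, b = c
    phase = (b - sum(ai * si for ai, si in zip(a, s))) % Q
    return round(t * phase / Q) % t


def error(s, c, m, t):
    """Signed distance of the phase b - <a,s> from m*q/t (the err(c) of the paper)."""
    a, b = c
    phase = b - sum(ai * si for ai, si in zip(a, s))
    return centered(phase - m * Q // t)


def homomorphic_nand(c0, c1):
    """FHEW NAND gate: (0, 5q/8) - c0 - c1.

    Inputs: LWE^4 ciphertexts with |err| < q/16.  Output: an LWE^2 ciphertext
    of NAND(m0, m1) whose error is at most q/8 plus the two input errors,
    hence below q/4, which is exactly what decryption modulo 2 tolerates.
    """
    a0, b0 = c0
    a1, b1 = c1
    a = [(-x - y) % Q for x, y in zip(a0, a1)]
    b = (5 * Q // 8 - b0 - b1) % Q
    return (a, b)


def roundtrip(seed=7):
    """Encrypt and decrypt every message of Z_4; returns (messages, max |error|)."""
    rng = random.Random(seed)
    s = keygen(rng)
    cts = [encrypt(s, m, 4, Q // 16, rng) for m in range(4)]
    msgs = [decrypt(s, c, 4) for c in cts]
    worst = max(abs(error(s, c, m, 4)) for m, c in enumerate(cts))
    return msgs, worst


def check_all_gates(seed=1):
    """Evaluate NAND on fresh encryptions of all four input pairs.

    Returns {(m0, m1): (decrypted output, |error| of the output ciphertext)}.
    """
    rng = random.Random(seed)
    s = keygen(rng)
    results = {}
    for m0 in (0, 1):
        for m1 in (0, 1):
            c0 = encrypt(s, m0, 4, Q // 16, rng)
            c1 = encrypt(s, m1, 4, Q // 16, rng)
            c = homomorphic_nand(c0, c1)
            out = decrypt(s, c, 2)
            results[(m0, m1)] = (out, abs(error(s, c, out, 2)))
    return results


if __name__ == "__main__":
    for (m0, m1), (out, err) in check_all_gates().items():
        print(f"NAND({m0},{m1}) -> {out}, |err| = {err} < q/4 = {Q // 4}")
```

The point to take from running it is the error budget: the output of one NAND already carries error up to q/4, so a second gate cannot be applied to it directly. That is why the paper's Refresh procedure (the bootstrapping step the page describes next) has to bring the ciphertext back into the t = 4, E = q/16 form before the next gate.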
Highlights
  • Since Gentry’s discovery of the first fully homomorphic encryption (FHE) scheme [15], much progress has been made both towards basing the security of fully homomorphic encryption on more standard and well understood security assumptions, and improving the efficiency of Gentry’s initial solution.

    On the security front, a sequence of papers [2,5,8,9,16] has led to fully homomorphic encryption schemes based on essentially the same intractability assumptions underlying standard lattice-based encryption.
  • The goal of this paper is to investigate to what extent the running time of a useful fully homomorphic encryption bootstrapping procedure can be reduced.
  • The main improvement with respect to previous work is in terms of granularity and simplicity: we effectively show that half-hour delays are not a necessary requirement of bootstrapped fully homomorphic encryption computations, and bootstrapping itself can be achieved at much higher speeds than previously thought possible.
  • We introduce a ring variant of the bootstrapping method of [2] that supports efficient homomorphic computation of scalar products modulo q.
  • We describe the high level structure/design of our fully homomorphic encryption scheme. (This private-key fully homomorphic encryption scheme can be transformed into a public-key one using standard techniques.) The encryption scheme itself is just the standard LWE symmetric encryption described in Section 3
  • We have shown that a complete bootstrappable homomorphic computation can be performed in a fraction of a second, much faster than any previous solution.
Results
  • (The authors will see later how to perform the required transformation.) Namely, assume that the input bits $m_0, m_1 \in \{0, 1\}$ are encrypted as ciphertexts $c_i \in \mathsf{LWE}^{4}_{s/q}$ using a slightly different message modulus $t = 4$ and error bound $E = q/16$.
  • As in all previous works on FHE, the ciphertext refreshing is based on Gentry’s bootstrapping technique of homomorphically evaluating the decryption function.
  • In this setting, given an LWE ciphertext $(a, b) \in \mathsf{LWE}^{2}_{s/q}(m)$, the authors compute an encryption $E(m)$ of the same message under a different encryption scheme $E$ by homomorphically evaluating the LWE decryption procedure (2) on the encrypted key $E(s)$ to yield
  • In this subsection the authors prove that ACC is a correct Homomorphic Accumulator Scheme for an appropriate error function E.
  • Assuming the hardness of $\text{Ring-LWE}_{R,Q,\chi}$, the above Homomorphic Accumulator Scheme is E-correct with error function
  • The ciphertext $c \in \mathsf{LWE}^{t}_{z/Q}(\mathrm{msb}(v))$, as defined in line 2 of Algorithm 2 while computing $\mathrm{msbExtract}(\mathrm{ACC})$, has an error $\mathrm{err}(c)$ which is subgaussian with parameter $\beta$ and mean $2\delta$ under the randomness used in the calls to $E_z(\cdot)$, for $\beta = O$.
  • The authors choose the secret key s of the LWE scheme to be binary in order to minimize the final error parameter E that depends on s (Theorem 10).
  • The secret $z \in R$ of the Ring-GSW scheme follows the discrete Gaussian distribution $\chi_\varsigma$, and the errors follow the Gaussian randomized rounding function $\chi_\varsigma$.
Conclusion
  • The authors' Refresh procedure produces a ciphertext with subgaussian error of parameter $\alpha = O(n^2 \log n)$ in their scheme, against $\alpha = \Theta(n^{5/2} \log^3 n / \log \log n)$ in [2].
  • To build a distinguisher against LWE in dimension $n$, modulus $q$ and a randomized rounding function $\chi$ of standard deviation $\sigma$, Lindner and Peikert estimate that the best known attack by lattice reduction requires achieving a root Hermite factor of $\delta = \delta\text{-LWE}(n, q, \sigma, \varepsilon) = 2^{\log_2^2 \rho \,/\, (4n \log_2 q)}$, where $\rho = (q/\sigma) \cdot \sqrt{2 \ln(1/\varepsilon)}$ (5)
  • Other interesting open problems are finding ways to fully exploit the message space offered by ring LWE encryption in the accumulator implementation, and combining the framework with the CRT techniques of [2].
Funding
  • This research was supported in part by the DARPA PROCEED program and NSF grant CNS-1117936
References
  • [1] Alperin-Sheriff, J., Peikert, C.: Practical bootstrapping in quasilinear time. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 1–20. Springer, Heidelberg (2013)
  • [2] Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014)
  • [3] Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)
  • [4] Blum, A., Furst, M.L., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994)
  • [5] Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012)
  • [6] Brakerski, Z., Gentry, C., Halevi, S.: Packed ciphertexts in LWE-based homomorphic encryption. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 1–13. Springer, Heidelberg (2013)
  • [7] Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 575–584. ACM Press, June 2013
  • [8] Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 97–106. IEEE Computer Society Press, October 2011
  • [9] Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)
  • [10] Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)
  • [11] Ducas, L., Micciancio, D.: Implementation of FHEW (2014). https://github.com/lducas/FHEW
  • [12] Ducas, L., Micciancio, D.: Improved short lattice signatures in the standard model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 335–352. Springer, Heidelberg (2014)
  • [13] Frigo, M., Johnson, S.G.: The design and implementation of FFTW3. Proceedings of the IEEE 93(2), 216–231 (2005). Special issue on “Program Generation, Optimization, and Platform Adaptation”
  • [14] Gentleman, W.M., Sande, G.: Fast Fourier transforms: For fun and profit. In: Proceedings of the November 7–10, 1966, Fall Joint Computer Conference, AFIPS 1966 (Fall), pp. 563–578. ACM, New York, NY, USA (1966)
  • [15] Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 169–178. ACM Press, May/June 2009
  • [16] Gentry, C., Halevi, S.: Fully homomorphic encryption without squashing using depth-3 arithmetic circuits. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 107–109. IEEE Computer Society Press, October 2011
  • [17] Gentry, C., Halevi, S.: Implementing Gentry’s fully-homomorphic encryption scheme. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 129–148. Springer, Heidelberg (2011)
  • [18] Gentry, C., Halevi, S., Peikert, C., Smart, N.P.: Ring switching in BGV-style homomorphic encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 19–37. Springer, Heidelberg (2012)
  • [19] Gentry, C., Halevi, S., Smart, N.P.: Better bootstrapping in fully homomorphic encryption. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 1–16. Springer, Heidelberg (2012)
  • [20] Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012)
  • [21] Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012)
  • [22] Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013)
  • [23] Halevi, S., Shoup, V.: Algorithms in HElib. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 554–571. Springer, Heidelberg (2014)
  • [24] Halevi, S., Shoup, V.: Bootstrapping for HElib. IACR Cryptology ePrint Archive (2014). http://eprint.iacr.org/2014/873
  • [25] Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
  • [26] Lidl, R., Niederreiter, H.: Finite Fields. Encyclopedia of Mathematics and its Applications 20. Addison-Wesley, Reading, MA (1983)
  • [27] Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)
  • [28] Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: An update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013)
  • [29] Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)
  • [30] Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013)
  • [31] Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions. In: 43rd FOCS, pp. 356–365. IEEE Computer Society Press, November 2002
  • [32] Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005
  • [33] Schatzman, J.C.: Accuracy of the discrete Fourier transform and the fast Fourier transform. SIAM J. Sci. Comput. 17(5), 1150–1166 (1996)